Live from the MGM Grand Hotel in Las Vegas. Extracting the signal from the noise. It's theCUBE, covering Splunk .conf2015. Brought to you by Splunk. Now, here are your hosts, John Furrier and Jeff Frick. Okay, welcome back everyone. We're live here in Las Vegas for Splunk .conf. I'm John Furrier with SiliconANGLE theCUBE. My co-host, Jeff Frick. Our next guest is Michael Gough, a founder of Malware Archaeology. Your LinkedIn profile says security analyst, Not Telling You Hackers. Welcome to theCUBE. So I never heard that coming, Not Telling You Hackers, Inc. Tell us why you have that on your profile. When my anniversary comes up, it says congratulate Michael, he's been at "I'm Not Telling You Hackers" for three years. The idea behind that is I don't want the hackers to actually know where I work because it causes me to be a target if they want to go after the industry. And they just do it as sport? I mean, it's just more of a hacker, just... Well, why do mountain climbers climb? Because they can. Why do hackers hack? Because they can. Hacking is unfortunately a very profitable industry. Gaming, it's guesstimated that it's a $1 billion underground industry. So there's a lot of money to be made with fake gold or gaming gold. So there's a lot of financial benefit for hackers, and so they want to target companies for specific data, healthcare data, obviously it's personal information. So that's valuable to them. And it's worth a lot of money. And the trends now are obviously more highlighted by the fact that APIs and cloud are here. People have no perimeters. And so... Perimeters are no longer as easy to define as they used to be. What's the paradigm? What is the solution? What's, I mean, it's like punching the monkey. What's it? It's like, you're really... Whack-a-mole. Whack-a-mole, whatever, whack-a-mole, yeah. You have to treat the cloud, or you have to treat your endpoints, treat your environments, your partner environments.
Rule number one, you have to know what you're protecting in order to protect it. Whether it's cloud, whether it's internal systems, whether it's your own stuff, whether it's a partner network, that's a very important concept. So know what you're going to have. I tell people, don't treat the cloud any differently. They're just servers. They're just not in your building. So you can load your agents, you can load your security solutions. You can't unfortunately put your appliances out there, but you can put soft appliances out there, virtual appliances out there, or load agents and send it back to the mothership. And really that's how people should treat the cloud in regards to security risks. One of the big trends here at Splunk is obviously IoT; mobile first has been out there for a while. Malware has been a big problem on mobile, and we had Swisscom on earlier today talking about 50% of the malware that they're seeing on mobile is coming from iPhone, which is kind of counter to what people think, iPhone is secure, but yet it's Android, and just as, less secure as an iPhone. So malware is a big problem. You got phishing, all these new attacks. How do we prevent that? What's the state of that? Is it access to the data? Is it more preventative or identification? I think the vendors have to step up. If you look at what Google's doing with all the versions of Android, there's a real problem with the vendors that have Android patching that. So there's kind of a movement to get better at that. There's, I want to say something like 27 versions of Android. I'm pretty sure I got the number wrong, but it's a lot. How many versions of iOS are there? A couple. So the industry has to move towards, more towards controlling that operating system so when these things are discovered, they can actually take action. Verizon can patch something fairly quickly, or AT&T, Samsung can do it on their own. Apple's unique. It's one company controlling its one OS.
So when some things they decide to patch, they can send it out. It's easier. Android really needs to catch up to the way Apple does it, and I'm seeing a lot of movement there. So I think that's the right direction. Loading agents on the phone, probably not. Get better at maybe re-imaging the phone. Maybe have policies not to have certain data on the phone. But for the most part, I think that's still evolving. So we're not quite sure exactly what the endpoint's going to look like there on the mobile. So what's your role here at Splunk .conf? What are you looking at? What's your agenda here, and what have you learned, and what are your conversations like? Well, mine are unique because I like malware. I call myself a logaholic. So hello, I'm Michael, I'm a logaholic. And I love malware, I'm a malware archeologist. Archeology's the study of mankind's artifacts, and well, malware artifacts is malware archeology. So I'm solely looking at logging. I'm trying to promote at Splunk. I did a talk here at .conf in regards to configuring the endpoint better than we're doing it now. So I can put a Splunk agent, Splunk install, or any kind of endpoint management solution in place. But if I don't enable the right things, the data I'm going to get is garbage. So my goal at this conference in my talk was to talk to people and say, look, we need to enable things, configure the things in Windows logging, for example, turn on the certain audit stuff that's not on, and promote getting people to turn this stuff on so they can start seeing the actual artifacts they need to see, and Splunk's a great mechanism to search that information. And that's my big promotion here, and talking to some of the malware endpoint companies that are here. Is it laziness or just more of not being familiar with the product, or both? In terms of turning it on? Yeah, Windows has been around a long time. So I think Microsoft's done a poor job recommending this.
Our industry as a whole, we have these ideas of standards that tell us to set certain things, but they don't quite go far enough to catch the advanced attacks or even the commodity attacks that occur. And so I think there's a lack of understanding of how good this area can be for you. And the fact that you already have the events, you just have to configure them properly; you do have to buy some sort of log management. But I tell people, even if you don't have a Splunk, turn this stuff on, because if you call me to come out and clean something up, I really can't help you much because the data's not on the box when I get there. And so that's the big push here, is enable and configure. Share some artifacts that you've discovered or dug up or have collected. I'm sure you got a nice collection of malware that people might not be familiar with that have been in the press. Stuff that's clever and smart that you can share. And what's the current state of the art now for malware? What are some of the techniques? What are the tricks of the trade that these guys are employing that isn't really documented in the public press? Well, the first thing I overhear in my industry is the word sophisticated. This malware was sophisticated. The Target CEO and the Neiman Marcus CEO spoke to Congress and said this stuff was so sophisticated none of the AV vendors detected it. That's just wrong. Advanced attacks do not, they know how to get around AV because AV's signature based. So if I tweak it slightly and then send it to you, no AV will pick it up. By design, we all know it's like that. So to make those statements of sophistication confuses things, because a lot of people say the POS software was sophisticated. It's really not. The artifacts that are left behind in the case of the POS software: it installed two services. Services are really easy to detect. And the fact that the retail industry failed to do that is why they got compromised.
So some of the really unique things that I've come across, I dealt with a campaign known as Winnti. It's a Chinese hacking group that attacks the gaming industry. And one of the cool aspects of- Gaming industry as in like video games- Video games as in kids' games. Okay, not like lottery games. You know, they're kind of like the League of Legends and, you know, yeah, that sort of stuff. Not the gambling, as we're in Vegas. And one of the cool artifacts that came out of that was the Chinese managed to infect the management software of the system. So we're talking the Splunk or the backup software or the AV software or your configuration management software. It then, we call these caves, they inserted the malicious code. So when that service normally started up, it didn't break it. It worked perfectly normal. But this little piece of malicious code read a blob in the registry where they stored the malware payload. It pulled that data out of the registry, decrypted it, wrote it to disk, where they had modified another service to call that file that didn't exist. So initially when we looked on the box, we saw a service that got tweaked, we could easily see that, pointing to a file that didn't exist. We scratched our heads and went, well, where's the file? And that sent us down the path of turning on and enabling certain command line logs, which allowed us to see registry keys, which allowed us to go to the key location and see these funny entries and then realize, ah, it's somehow coming from here, which then led us to the fact that they were compromising the management software to load their malware and hide it in the registry. That's pretty cool. That's sophisticated. Yes, it is. That's a good hack. Yes. But you could not have traced it unless you had kind of followed down the rabbit hole, if you will, through the registry entries back in. So that had to take some work. Yeah. To identify and then do that. So that's kind of, how do you do that at scale? Splunk.
Turns out that if you do enable the command line logging, it's one of the things I promoted in my talk today. If you turn this on and you start collecting it, then in Splunk I can look at that command line logic, because when you launch a program, let's say Microsoft Word, if I launch that from the command line, it's much different than if I double-click it in Explorer. And so how it looks inside the logs varies dramatically. And so what I'm looking for is that odd case. Well, these are normal command launches. I see hundreds and thousands of them, throw those out, so exclude them. It's kind of like, think of the concept of looking for the needle in the haystack. I'm throwing out all the hay by getting rid of or excluding the stuff that's normal. And then what happens is all these unique, funny command lines that the hackers execute become very obvious. And that's where I find all the artifacts to point me to where I need to go. So we got a minute left. I'm going to try to squeeze a couple more questions in, but I want to get your thoughts on a philosophical view. I was on Facebook a couple of months ago, and maybe more than a couple of months ago, and I tweeted, man, I wish I was a computer science student again. Man, security is so much fun. It's a great, I mean, I love, I kind of geek out on some of the things that you were talking about. It's exciting at an intellectual level to identify the hacks and kind of thwart them. It is kind of a game in a way. So like, there's a new level of young guns that are like the most military. Like, where's our Navy SEALs for security? Where are our military forces? Where is the cyber security aspect in this next generation of computer scientists? So the question I have for you is, what's your view on that? Should we have more, you know, focus on this? I mean, because certainly if you're a young student, you got to, this has got to be pretty exciting technology-wise.
What are your thoughts on that whole idea of, you know, cyber teams, and for kids who are interested in this, how do they get trained on this? Is there like a drill sergeant? Is that you? What do we do? That's a really good question. So there's a thought that there's a lot of, we lack cyber security experts in our industry. I think that's somewhat true, but I think we have a lot of security engineers out there that don't quite know the details, like what I taught today and what I teach in my malware training. I would recommend youngsters definitely talk to their computer science teachers and invite us white hat hackers in to talk. Matter of fact, last week I was at University of Texas doing a guest lecture for their class, about 70 students in the class, trying to get them interested in this field, and they even offered a contest with an essay to allow whoever won that to come to the training for free. So I think our community needs to reach out to the students and get them more involved and actually show them what we do for a living to get them excited. Unfortunately- Do they get excited when you show up to them? When I share what I know, yeah, they do, because they're like, what? You know, because they've never been exposed to this. The university is more of a theory program, not a practice program. We also have to get the kids involved at a younger age, let them understand. But I also think there's too much emphasis on penetration testing or red teaming, whereas I want blue teamers. I want the guys that are active defenders, and the blue team's the defense, the red team's the attackers. And I think the red team in our industry needs to do a better job of getting what they do taught to the defenders, whether it's in government or state or even at an enterprise level, and try to get them better at detecting, the skills like I'm trying to do, so that in general we lift the entire industry. But generally we need to get these guys excited.
That's generally- We do, we do. So let's show them and have workshops and show them the pwnage that we see. Let me demonstrate to them. I wish we had more time. You're a great guest to have on theCUBE, but we have to get in the hook again. We want to go longer. This is fun. Security is certainly a big issue. And if you're young out there, it really can be intellectually intoxicating at the science and some of the tactics. If you like that kind of stuff, I think it's really a great opportunity in my opinion. I recommend all students look into securitybsides.org. It's very inexpensive, if not free, conferences all over the world so they can actually go to their local community and sit in a real conference and learn some real detailed information. And can you repeat that again? Security B-Sides. So it's the regular spelling of security with B as in boy, S as in Sam, I-D-E-S.org. And there's lots of them. I ran the B-Sides Texas with Michelle Klinger. We had Austin, San Antonio, Houston and Dallas Fort Worth. Great content. Think of it as a mini DEF CON. So students definitely should look into that. All right, of course, we'll have more action here on theCUBE live at Splunk .conf. More security action. We'll be right back with more after this short break.